Thanks for your responses; I'll give your suggestions a try. I apologize that my criticism was not constructive. Here are two gaps that I discovered in the documentation almost right away:
- The section on realm authorization here <http://shiro.apache.org/realm.html#Realm-RealmAuthorization> simply says "TBD."
- The section on caching authorization at the bottom of this page <http://shiro.apache.org/java-authorization-guide.html> also says "TBD."

As I stated in my original post, the most difficult thing for me has been learning how to separate authentication and authorization. Both tutorials (the 10-minute <http://shiro.apache.org/10-minute-tutorial.html> and the webapp <http://shiro.apache.org/webapp-tutorial.html>) start with authentication, which is totally natural. However, it was challenging for me to understand what portions of the authentication steps I could leave undone while still supporting authorization.

My suggestion would be to provide more details, or perhaps even a separate tutorial, about how to perform /only/ authorization. This could be extremely helpful to anyone who wants their authentication to be handled by a different service.
